Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ea5b80bcf314f2f…

MALICIOUS

PDF

113.8 KB Created: 2021-04-19 00:59:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-08-25
MD5: 041cf5fb1b4049c20fa35e808b1a0d4d SHA-1: e149ced1e5f21355231417d7831d40232dffa9a6 SHA-256: 7ea5b80bcf314f2f74faf3f3862054180245a098371bfa8624451611cafd637b
186 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.001 User Execution: Malicious Link

The PDF contains heuristics indicating it is a credential phishing lure impersonating 'Target' and uses a redirector URL. The ML classifier and ClamAV detection strongly suggest malicious intent. The embedded URLs point to suspicious domains, likely part of the phishing infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Brand-impersonation credential phishing lure critical SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: action link to abused redirector https://puwawegolawibot.weebly.com/uploads/1/3/2/6/132682739/0109c9ae318fbbf.pdf.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seumenha.ru/strik?utm_term=nietzsche+philosopher+psychologist+antichrist+pdf+drive PDF link annotation
    • http://proba7.xyz/827659939390yjla.pdfIn PDF document text
    • https://cdn.sqhk.co/tuseliwi/5njc37w/mi_pattern_lock_screen_apk_download.pdfIn PDF document text
    • http://xufonewujisos.scienceontheweb.net/7586804682.pdfIn PDF document text
    • https://puwawegolawibot.weebly.com/uploads/1/3/2/6/132682739/0109c9ae318fbbf.pdfIn PDF document text
    • https://gonupedifi.weebly.com/uploads/1/3/4/5/134524362/50adb70f04d4c6.pdfIn PDF document text
    • https://cdn.sqhk.co/fagaxirupunu/ijgintD/begejisukinenural.pdfIn PDF document text
    • http://afracheat5.xyz/vazeropofapozokosy.pdfIn PDF document text
    • https://cdn.sqhk.co/nazixasinuti/4hcjaKQ/39804150023.pdfIn PDF document text
    • https://lafowujokunoro.weebly.com/uploads/1/3/0/7/130738997/kovinewebom.pdfIn PDF document text
    • https://cdn.sqhk.co/libazosu/bkigiic/37342333961.pdfIn PDF document text
    • https://cdn.sqhk.co/diratukuz/iehdjiT/33737562703.pdfIn PDF document text
    • http://save50it.pro/kekenujiletef1f715.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://xizokenimufewom.atwebpages.com/retirement_age_in_malaysia.pdfIn PDF document text
    • https://03df18d0-0a94-4077-8b44-1f3cf8b7c870.filesusr.com/ugd/23a6c3_58d6a735e52f442f9d6c548b4b5c2e08.pdf?index=trueIn PDF document text
    • https://b32521b7-32ca-447e-9967-d27d0dce683d.filesusr.com/ugd/800b88_b4c19850b15d4741b930a33ed19c93a7.pdf?index=trueIn PDF document text
    • https://b1c30c75-ab46-439a-884d-3836ae4b8a49.filesusr.com/ugd/2d1648_8726a7e284b247f4b067f51e5671aa30.pdf?index=trueIn PDF document text
    • https://584abdf6-e408-48d3-a53c-4313a8f82471.filesusr.com/ugd/18ee90_f85c2e18e3bb4076b25a6500f7e7e12b.pdf?index=trueIn PDF document text
    • https://590703a0-be71-4d3c-a49f-17767d5969ef.filesusr.com/ugd/656c20_7f8befde5f6f40c7874355f27d78e1ca.pdf?index=trueIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00017e26.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x17E26 5596 bytes
SHA-256: 27d414666bc3476e354ed58ecb65c754bac1039c26d0ec1e1df59388f6527961
font_01_sfnt_off0001914f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1914F 11220 bytes
SHA-256: 55b7199eddb888b9e6590574b098cde7bdb37a50389b0b320a2b6471490bb3e0